
Re: [Snort-devel] mailing feature

From: Erek Adams <erek(at)snort.org>
Date: Thu Jul 31 2003 - 09:38:20 EDT

On Thu, 31 Jul 2003, Mario Ohnewald wrote:

> Found it!!

You're really making a mistake by doing that.

Instead log to syslog or /var/log/alert and have something like Swatch handle the checking and sending of emails. If you don't you're really going to create a problem. Each time you make a call to system, you're running the risk of Snort blocking. From the man page "...returns after the command has been completed." If you have 4 packets that come in at roughly the same time, and all 4 packets generate an alert, you'll end up with something like this: Alert1 is generated, system call, creation of a new process, execution of the new process, destruction of process, control now returns to Snort where Alert2 is about to be generated. The cycle repeats... Consider the fact that if you are waiting on a system call to return, you're not going to be able to sniff packets.

By all means do what's best for you and your environment. Just be forewarned that you could really hurt yourself by doing it that way.

Cheers!



Erek Adams

   "When things get weird, the weird turn pro." H.S. Thompson
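The decoupled design recommended above (Snort only appends to its alert file; a separate Swatch-style watcher reads the file and decides what to mail) as an added example. This is illustrative code written for this page, not Swatch or Snort code. It assumes Snort's "fast" alert line layout, uses constructed sample lines with placeholder SIDs and documentation IP ranges, and replaces the real mail call with a pluggable `send` callback so it runs offline; it also adds per-(signature, source) throttling so a burst of identical alerts does not become a burst of emails.

```python
"""Swatch-style watcher for a Snort alert file (illustrative, not Swatch/Snort code)."""
import re
import time

# Line layout assumed here: Snort "fast" alert output. Sample lines are constructed.
ALERT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]'
    r'(?:.*?\[Priority:\s*(?P<prio>\d+)\])?.*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)

# Constructed sample: four alerts arriving "at roughly the same time", a junk
# line, and a repeat of the first alert well after the throttle window.
SAMPLE_ALERT_LINES = [
    "07/31-09:38:20.000001  [**] [1:1000001:1] EXAMPLE rule one [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.0.2.10:34567 -> 198.51.100.5:80",
    "07/31-09:38:20.100002  [**] [1:1000001:1] EXAMPLE rule one [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.0.2.10:34568 -> 198.51.100.5:80",
    "07/31-09:38:20.200003  [**] [1:1000002:1] EXAMPLE rule two [**] "
    "[Priority: 3] {UDP} 192.0.2.12:53 -> 198.51.100.5:53",
    "07/31-09:38:20.300004  [**] [1:1000001:1] EXAMPLE rule one [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.0.2.11:40000 -> 198.51.100.5:80",
    "this line is not an alert and must be ignored",
    "07/31-09:45:00.000005  [**] [1:1000001:1] EXAMPLE rule one [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "192.0.2.10:34570 -> 198.51.100.5:80",
]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"]) if fields["prio"] else None
    return fields


class AlertWatcher:
    """Per-line rules like Swatch: filter by priority, throttle, then notify.

    `send(subject, body)` is the notification hook; a real deployment would
    plug in an SMTP call here. Snort itself never waits on it.
    """

    def __init__(self, send, throttle_seconds=300, max_priority=2):
        self.send = send
        self.throttle = throttle_seconds
        self.max_priority = max_priority
        self.last_sent = {}   # (sid, src) -> time of last notification
        self.suppressed = 0   # alerts dropped by the throttle

    def handle_line(self, line, now):
        """Process one line; return True if a notification was sent."""
        alert = parse_alert(line)
        if alert is None:
            return False                      # junk or truncated line
        if alert["prio"] is not None and alert["prio"] > self.max_priority:
            return False                      # low priority: logged, not mailed
        key = (alert["sid"], alert["src"].rsplit(":", 1)[0])
        last = self.last_sent.get(key)
        if last is not None and now - last < self.throttle:
            self.suppressed += 1              # same sig + source inside window
            return False
        self.last_sent[key] = now
        self.send("snort: %s from %s" % (alert["msg"], alert["src"]), line.strip())
        return True


def follow(path, poll=1.0):
    """Yield lines appended to `path` (tail -f style) for live use."""
    with open(path) as f:
        f.seek(0, 2)
        while True:
            line = f.readline()
            if not line:
                time.sleep(poll)
                continue
            yield line


def run_sample():
    """Feed the constructed lines through the watcher with fake timestamps."""
    sent = []
    watcher = AlertWatcher(lambda subject, body: sent.append(subject))
    base = 1059658700.0                       # arbitrary epoch for the sample
    offsets = [0.0, 0.1, 0.2, 0.3, 0.4, 400.0]
    for offset, line in zip(offsets, SAMPLE_ALERT_LINES):
        watcher.handle_line(line, now=base + offset)
    return sent, watcher.suppressed


if __name__ == "__main__":
    subjects, dropped = run_sample()
    print("notified:", subjects)
    print("suppressed by throttle:", dropped)
    # Live mode: for line in follow("/var/log/snort/alert"): watcher.handle_line(line, time.time())
```

Of the six constructed lines, three produce notifications: the first alert, the same signature from a second source, and the repeat after the 300-second window; the duplicate 0.1 s later is throttled, the priority-3 alert is filtered, and the junk line is ignored. None of this work happens inside Snort's packet loop.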




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Thu Jul 31 09:43:34 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT

